Introduction
Walmart and Hurricane Katrina
1.a) Why was Walmart able to respond quickly?
Walmart was able to respond quickly because it had a disaster preparedness mechanism in place that was well trained and operationally proficient. They had detailed business continuity plans, a full-time staff, a crisis command center, and an economic need to get back into business as soon as possible.
b) List at least three actions that Walmart took that you might not have thought of.
Three actions that Walmart took that I might not have thought of include sending additional security personnel to stores in preparation for possible looting, providing meals, ammunition, etc. to local law enforcement for free, and ordering 40 emergency power generators for stores that lacked them.
Walmart sent out bleach and mops to its stores.
Walmart sent ammunition and protective gear for police and relief workers.
Walmart developed a business continuity center which specializes in disaster planning.
Incidents Happen
2.a) Can good planning and protection eliminate security incidents?
No amount of planning can eliminate security incidents, but good planning provides a baseline to build on so that the firm can recover quickly.
b) What three things are successful attacks commonly called?
Successful attacks are commonly called security incidents, breaches, and compromises.
Incident Severity
3.a) What are the four severity levels of incidents?
The four severity levels of incidents are false alarms, minor incidents, major incidents, and disasters.
b) What is the purpose of a CSIRT?
The purpose of a CSIRT is to respond to severe computer security incidents with impacts that are too large for the on-duty IT staff to handle.
c) From what parts of the firm do its members come?
CSIRT members come from legal, PR, IT, and senior management.
d) What is business continuity?
Business continuity is the maintenance of the day-to-day revenue generating operations of the firm.
e) Who should head the business continuity team?
A senior manager should head the business continuity team.
Speed and Accuracy
4.a) Why is speed of response important?
Speed of response is important because it can reduce damage. The attacker will have less time to do damage, the attacker cannot burrow as deeply into the system and become very difficult to detect, and speed is also necessary for recovery.
b) Why is accuracy of response important?
Accuracy of response is just as important as speed. A common mistake is to act on incorrect assumptions. If the problem is misdiagnosed or the wrong approach is taken, things can get much worse.
c) Define incident response in terms of planning.
Incident response is reacting to incidents according to plan.
d) Why are rehearsals important?
Rehearsals improve speed and accuracy. Rehearsals are critical because no plan is useful until it is tested to find out its faults in implementation.
e) What is a walkthrough or table-top exercise?
A walkthrough or table-top exercise is where managers and other key personnel get together and discuss, step by step, what each will do during an incident. These exercises also involve people from many departments.
f) Why is a live test better?
Live tests are better than walkthroughs because live tests reveal subtleties that walkthroughs may miss or may not be able to address.
g) What is the problem with live tests?
The problem with live tests is that they are very expensive.
The Intrusion Response Process for Major Incidents
Detection, Analysis, and Escalation
5.a) Distinguish between detection and analysis.
Detection is learning that an incident has occurred. Analysis is a deeper understanding of the incident to determine its damage potential and to gather information needed to begin containment and recovery.
b) Why is good analysis important for the later stages of handling an attack?
When proper analysis is done and gives good information, the company can proceed effectively through later stages of handling an attack.
c) What is escalation?
Escalation is passing the incident up to the CSIRT or business continuity team.
Containment
6.a) What is containment?
Containment is stopping the damage.
b) Why is disconnection undesirable?
Disconnection is undesirable because it prevents legitimate business users from getting to a necessary server, which amounts to lost revenue.
c) What is black holing?
Black holing the attacker’s IP address means dropping all future packets from that IP address.
d) Why may it only be a temporary containment solution?
Black holing is usually only effective against attacks from amateur hackers that do not have the resources to use bots or other agents to continue an attack.
e) Why might a company allow an attacker to continue working in the system for a brief period of time?
A company may allow an attacker to continue working in a system for a brief period of time in order to collect data on what the attacker is doing and to gather evidence for prosecution.
f) Why is this dangerous?
The longer attackers are in a system, the more invisible they become through the deletion of IDS logs, and the more backdoors and other damage the attackers can create.
g) Who should make decisions about letting an attack continue or disconnecting an important system?
Senior business executives should make the decision to let an attack continue.
Recovery
7.a) What are the three major recovery options?
1. Repair during continuing server operation
2. Restoration from backup tapes
3. Total software reinstallation
b) For what two reasons is repair during continuing operation good?
Repair during continuing server operation might be good because doing this on a server with a critical function keeps those services available to users. It also means that no data is lost because there is no need to resort to backup tapes, which only contain information since the last backup.
c) Why may it not work?
Unfortunately, it is very difficult to root out all of the Trojan horses, registry entries, rootkits, and other unpleasant surprises planted by an attacker. For a virus or worm attack, there sometimes are programs that remove the specific artifacts created by the specific attack. For handcrafted break-ins, however, there is no general detection program, and there always is a strong concern that “we may have missed one.”
d) Why is the restoration of data files from backup tapes undesirable?
Restoration of data files from tape takes a long time and data collected since the last backup will be lost.
e) What are the potential problems with total software reinstallation?
Total software reinstallation does not address data lost since the last backup, and the software will have to be re-baselined to proper security, a time-consuming process.
f) How does having a disk image reduce the problems of total software reinstallation?
Disk imaging reduces the problem of having to re-baseline the system to proper security levels.
Apology
8.What are the three rules for apologies?
The three rules of apologies are acknowledge responsibility and harm, explain what happened, and explain follow-on actions and compensation, if any.
Punishment
9.a) Is it easier to punish employees or to prosecute outside attackers?
It is easier to punish employees than to prosecute outside attackers.
b) Why do companies often not prosecute attackers?
Companies often do not prosecute attackers because prosecution is expensive in total cost and effort, has a low probability of success, and risks loss of reputation: a public prosecution shows that the company could not prevent the attack in the first place, and the damage is worse if the company loses the case.
c) What is forensics evidence? Contrast what cybercrimes the FBI and local police investigate.
Forensic evidence is evidence that is acceptable for court proceedings. The FBI investigates matters of interstate commerce and some other attacks. Local police investigate violations of local and state laws.
d) Why should both be called?
Both should be called because one or both may have jurisdiction based upon the circumstances of the incident.
e) Under what conditions will you need to hire a forensics expert?
For civil lawsuits, the company must use a certified forensics expert to collect data and interpret it in court. If it attempts to collect evidence on its own, the evidence probably will not be admissible in court.
f) Why should you hire a forensics expert rather than doing your own investigation?
A forensic expert should be hired because they are experts in the field and know how best to handle evidence once detected. Also, they are allowed to give interpretative testimony.
g) What is the chain of evidence, and why is documenting it important?
Chain of evidence is the documented history of all transfer of evidence between people and all actions taken to protect the evidence while in each person’s possession. Without this documentation, the evidence may be rejected from being used in court.
Postmortem Evaluation
10.Why should companies undertake a postmortem evaluation after an attack?
Conducting an after action review allows the company to determine what went wrong or right after an attack in order to improve the response process.
Organization of the CSIRT
11.a) Why should a senior manager head the CSIRT?
Because all security decisions during a major incident are business decisions, a senior manager should head the CSIRT.
b) Why should members of affected line departments be on CSIRT?
Decisions cannot be made intelligently without an understanding of how the affected line departments will be impacted.
c) Who is the only person who should speak on behalf of the firm?
The only person who should speak on behalf of the firm is the PR director.
d) Why should the firm’s legal counsel be on the CSIRT?
The firm’s legal counsel should be on the CSIRT to place actions in the proper legal framework and advise on the legal implications of various actions.
e) Why should a firm’s human resource department be on the CSIRT?
The firm’s HR department should be on the CSIRT to offer guidance on labor issues and to implement sanctions on employees, if required.
Legal Considerations
Criminal versus Civil Law
12.a) What different actions do criminal and civil law deal with?
Criminal law deals with violations of criminal statutes. Civil law deals with interpretations of rights and duties that companies or individuals have relative to each other.
b) How do punishments differ in civil and criminal law?
Criminal punishments include jail time and fines; civil penalties only result in fines and/or orders to a defendant not to take certain actions.
c) Who brings lawsuits in civil and criminal cases?
Prosecutors charge defendants in a criminal case; plaintiffs bring a case against a defendant in a civil case.
d) What is the normal standard for deciding a case in civil and criminal trials?
Criminal trials require proving a defendant’s guilt beyond a reasonable doubt; civil trials require proving a defendant’s liability by a preponderance of the evidence (>50%).
e) What is mens rea?
Mens rea is when the prosecutor must prove the defendant was in a certain mental state, such as having the intention to commit the act.
f) In what type of trial is mens rea important?
Mens rea is important in criminal cases.
g) Can a person be tried separately in a criminal trial and later in a civil trial?
Yes. A defendant whose actions violate both criminal and civil rules may be criminally prosecuted by the state and later civilly sued by a victim for monetary damages.
Jurisdictions
13.a) What is case law?
Decisions based on individual cases set precedents for how laws are interpreted in trials.
b) What are jurisdictions?
Jurisdictions are areas of responsibility within which authorities can make and enforce laws but beyond which they cannot.
c) What is cyberlaw?
Cyberlaw is any law dealing with information technology.
d) What are the three levels of U.S. federal courts?
The three levels of U.S. federal courts are
• 94 U.S. District Courts
• 13 U.S. Circuit Courts of Appeal
• The U.S. Supreme Court
e) Which levels can create precedents?
The U.S. Circuit Courts of Appeal and Supreme Court can create precedents.
f) Does federal jurisdiction typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?
Crimes that are committed entirely within a state do not normally meet federal jurisdiction guidelines.
g) Who is likely to investigate a cybercrime that takes place within a city?
The local police are likely to investigate a cybercrime that takes place within a city.
h) Are international laws regarding cybercrime fairly uniform?
No, they are not. Internationally, cybercrime laws vary widely.
i) Why should companies that do business only within a country be concerned about international cyberlaw?
Laws involving computers differ between countries and are changing rapidly. International law is important for multinational companies and even for companies that only deal with customers or suppliers in other countries.
Evidence and Computer Forensics
14.a) Why will courts not admit unreliable evidence?
Courts will not admit unreliable evidence because there is a belief that juries cannot be trusted to evaluate unreliable evidence properly.
b) What is a computer forensics expert?
A computer forensics expert is a professional who is trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.
c) What type of witness is allowed to interpret facts for juries?
Expert witnesses are allowed to interpret facts for juries.
d) Why should companies work with forensics professionals before they have a need for them?
Given the importance of admissibility, companies should use forensics experts when prosecution is anticipated and they should have prior discussion with their chosen forensics experts to understand what may be required.
U.S. Federal Cybercrime Laws
15.a) What section of which title of the United States Code prohibits hacking?
18 U.S.C. § 1030 is the U.S. Code that prohibits hacking.
b) What other attacks does it prohibit?
It also prohibits DoS and malware attacks.
c) Does it protect all computers?
18 U.S.C. § 1030 only protects “protected computers” including government computers, financial institution computers, and any computer used in interstate or foreign commerce or communications.
d) What are damage thresholds?
Damage thresholds are minimum amounts of damage that must occur before attackers are in violation of the law.
e) What types of acts does 18 U.S.C. § 2511 prohibit?
18 U.S.C. § 2511 prohibits the interception of electronic messages, both en route and after the message is received and stored, with the exception of e-mail systems owned by a company.
Intrusion Detection Systems (IDSs)
16.a) What is an IDS?
An intrusion detection system is software and hardware that captures suspicious network and host activity data in event logs and provides automatic tools to generate alarms, as well as query and reporting tools to help administrators analyze the data interactively during and after an incident.
b) Is an IDS a preventative, detective, or restorative control?
It is only a detective control. Of course, if attackers believe that they are likely to be caught by the IDS, it may have preventative benefits.
c) What are false positives?
False positives in an IDS are known as false alarms.
d) Why are false positives problems for IDSs?
IDSs tend to be ignored if they generate many false positives.
Functions of an IDS
17.a) What are the four functions of IDSs?
The four functions of IDSs are logging, automated analysis, administrator actions, and management.
b) What are the two types of analysis that IDSs usually do?
Two types of analysis IDSs usually do are attack signature detection and anomaly detection.
c) What types of action did this section mention?
Actions mentioned include alarms and log summary reports with interactive manual log analysis tools.
d) What information should alarms contain?
Alarms should give the security administrator a description of what the problem is, a way to test the alarm for accuracy, and advice about what the security administrator should do.
e) What is the purpose of log summary reports?
Log summary reports list various types of suspicious activity. They also indicate threat priority by type of threat or by statistical analysis indicating high frequency. The purpose of log summary reports is to give IDS administrators notice of threats that aren’t high risk or detected by alarms.
f) Describe interactive log file analysis.
Interactive log file analysis allows administrators to drill down into log files to better understand an ongoing or completed attack while filtering out irrelevant entries.
Distributed IDSs
18.a) What is the advantage of a distributed IDS?
A distributed IDS can collect data from many devices at a central manager console to allow a security manager to detect a more complex attack.
b) Name the elements in a distributed IDS.
There is a manager, integrated log file, agent host IDS, agent network IDS, and an IDS vendor.
c) Distinguish between the manager and agents.
The agent collects event data and stores them in log files on the monitoring devices. The manager program is responsible for integrating the information from the multiple agents that run on multiple monitoring devices.
d) Distinguish between batch and real-time transfers for event data.
In batch transfers, the agent waits until it has several minutes or several hours of data and then sends a block of log file data to the manager.
In real-time transfers, each event’s data goes to the manager immediately.
e) What is the advantage of each type?
Batch transfer is the least expensive (has the lowest network load), while real-time transfer allows capturing of log files without worrying about attackers deleting log files.
f) What two types of communication must be secure?
Communication between IDS agents and manager should be secure in order to ensure an attacker cannot spoof either and cause mass confusion to the IDS.
Network IDSs (NIDSs)
19.a) At what information do NIDSs look?
NIDSs look at all information traveling through the network.
b) Distinguish between stand-alone NIDSs and switch-based or router-based NIDSs.
Stand-alone NIDSs are boxes located at various points in the network. They read and analyze all network frames that pass by them. They essentially are corporate-owned sniffers. Switch NIDSs and router NIDSs are switches and routers that have IDS software. Typically, these capture data on all ports.
c) What are the strengths of NIDSs?
The strength of NIDSs is that they can see all packets passing through some locations in the network. Often, these packets are highly diagnostic of attacks.
d) What are the two weaknesses of NIDSs?
The two weaknesses of NIDSs are they leave blind spots on the network where no NIDSs are placed and NIDSs cannot read encrypted data.
Host IDSs
20.a) What is the major attraction of a HIDS?
The main attraction of HIDSs is that they provide highly specific information about what happened on a particular host. This is important for problem diagnosis.
b) What are the two weaknesses of host IDSs?
The two weaknesses of HIDSs are that they have limited views of what is happening on the network (they can only see activity on their own host) and that HIDSs can be compromised if the host is owned by an attacker.
c) List some things at which host operating system monitors look.
Some things host operating system monitors look at are multiple failed logins, creating new accounts, adding new executables (programs—may be attack programs), modifying executables (installing Trojan horses does this), adding registry keys (changes how system works), and changing or deleting system logs and audit files.
Log Files
21.a) Why are integrated log files good?
Integrated log files are good because they are an aggregation of event logs from multiple IDSs.
b) Why are they difficult to create?
They are difficult to create because of format incompatibilities.
c) Explain the time synchronization issue for integrated log files.
If the times on the various IDSs are off by even a few thousandths of a second, it will be extremely difficult to see what is happening at a particular moment in time—especially if the attack is automated and occurs quickly.
d) How do companies achieve time synchronization?
Companies achieve time synchronization using the Network Time Protocol (NTP) service.
e) What is event correlation?
Event correlation is analysis of suspicious patterns in a series of events across multiple devices.
f) Distinguish between aggregation and event correlation.
Aggregation is the collection of all log files; event correlation requires analysis to determine related attack patterns.
g) Why is analyzing log file data difficult?
Analyzing log file data is difficult because the relevant event exists in much larger event streams that are logged.
h) In the referenced figure, how long is the delay between the first attempted login and the second?
The delay is 44.28 seconds.
i) Does this indicate that the attack is a human attack or an automated attack?
This is most likely a human attack (based upon memory of the logs) because the attack is done in a reasonably human amount of time.
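The aggregation, time-synchronization and correlation points above (21.a through 21.i) as one worked example. This is an added example, not code from the textbook: two constructed event logs in different formats (a host IDS writing ISO-8601 UTC, a network IDS writing syslog-style local time) are normalized into one integrated, time-ordered log; repeated failed logins from one source are then correlated, and the gap between attempts is used to judge whether the attacker is human or a script. The year, the NIDS time zone (UTC-5), its 10 ms clock skew and the 1-second human/automated threshold are assumptions of the sample, and the 44.28-second gap is constructed to match the figure's value.

```python
"""Integrated log files, clock skew and event correlation (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed host IDS log (UTC, millisecond precision).
HOST_LOG = """\
2024-03-10T14:02:01.120Z host=web1 user=admin result=FAIL src=203.0.113.7
2024-03-10T14:02:45.400Z host=web1 user=admin result=FAIL src=203.0.113.7
2024-03-10T14:02:46.900Z host=web1 user=admin result=OK src=203.0.113.7
"""

# Constructed network IDS log: local time (assumed UTC-5), no year, and the
# sensor's clock is assumed to run 10 ms fast, so its stamps read late.
NET_LOG = """\
Mar 10 09:02:01.125 nids1 tcp 203.0.113.7:51022 -> 10.0.0.5:22 SYN
Mar 10 09:02:45.405 nids1 tcp 203.0.113.7:51023 -> 10.0.0.5:22 SYN
"""

HOST_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>\S+) src=(?P<src>\S+)$")
NET_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>[\d:.]+) "
                    r"(?P<sensor>\S+) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flag>\w+)$")


def parse_host(line):
    """One host IDS line -> normalized event dict, or None if it does not match."""
    m = HOST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "device": m["host"], "kind": "login",
            "src": m["src"], "user": m["user"], "result": m["result"]}


def parse_net(line, year, utc_offset_hours, clock_skew_s):
    """One NIDS line -> normalized event dict in UTC.

    clock_skew_s is how far the sensor's clock runs ahead of true time
    (what NTP would otherwise have corrected); it is subtracted here.
    """
    m = NET_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S.%f")
    ts = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    ts = ts.astimezone(timezone.utc) - timedelta(seconds=clock_skew_s)
    return {"ts": ts, "device": m["sensor"], "kind": "tcp_" + m["flag"].lower(),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def integrate(host_log, net_log, net_clock_skew_s=0.0, year=2024, net_utc_offset=-5):
    """Aggregate both logs into one list ordered by normalized timestamp."""
    events = [e for e in map(parse_host, host_log.splitlines()) if e]
    events += [e for e in (parse_net(ln, year, net_utc_offset, net_clock_skew_s)
                           for ln in net_log.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_delays(events):
    """Correlate consecutive FAIL logins per (src, user); return the gaps in seconds."""
    last, delays = {}, []
    for e in events:
        if e["kind"] != "login" or e["result"] != "FAIL":
            continue
        key = (e["src"], e["user"])
        if key in last:
            delays.append(round((e["ts"] - last[key]).total_seconds(), 3))
        last[key] = e["ts"]
    return delays


def classify_pace(delays, automated_below_s=1.0):
    """Assumed heuristic: sub-second retries look scripted, longer gaps look human."""
    if not delays:
        return "insufficient data"
    return "likely human" if min(delays) >= automated_below_s else "likely automated"


def first_device(events):
    """Which device's event comes first in the integrated log."""
    return events[0]["device"] if events else None


if __name__ == "__main__":
    raw = integrate(HOST_LOG, NET_LOG)                        # clocks taken at face value
    fixed = integrate(HOST_LOG, NET_LOG, net_clock_skew_s=0.010)
    print("first event (uncorrected):", first_device(raw))    # web1: failure logged before its SYN
    print("first event (corrected):  ", first_device(fixed))  # nids1: the SYN now precedes the failure
    delays = failed_login_delays(fixed)
    print("delays between failed logins:", delays, "->", classify_pace(delays))
```

With the NIDS clock taken at face value, the login failure on web1 sorts before the SYN that carried it, which is impossible; a 10 ms correction restores the true order, which is the reason integrated logs need NTP. The 44.28 s gap between the two failures is well above the assumed 1 s scripting threshold, so the correlation step labels the activity as likely human.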
Managing IDSs
22.a) What is precision in an IDS?
Precision in IDS means that the IDS should report all attack events and report as few false alarms as possible.
b) What are false positives, and why are they bad?
False positives are also known as false alarms and they are bad because they will outnumber true alarms ten-to-one or even more. In fact, the large number of false positives generated by IDSs is the major problem with IDSs today, causing many firms to stop using them after a trial period.
c) What are false negatives, and why are they bad?
False negatives are failures to report true attack activities. They are bad because they fail to notify of a valid attack.
d) How can tuning reduce the number of false positives?
Tuning turns off unnecessary rules and reduces the severity level in the alarms generated by other rules to limit the total number of false positives.
e) What does an IDS do if it cannot process all of the packets it receives?
IDSs that are overwhelmed by packets will simply skip packets and possibly miss a valid suspicious attack packet.
f) What may happen if a system runs out of storage space?
When the system nears the point of running out of storage space, the IDS will transfer the log file to backup and start a new log file.
g) Why is limiting the size of log files necessary but unfortunate?
Limiting the size of log files is necessary to avoid exceeding storage capacity, and this limits the amount of log file data available for historical analysis.
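The alarm content described in 17.d and the tuning trade-off described in 22.b through 22.d as one worked example. This is an added example, not code from the textbook or from any IDS product: a small rule-based detector runs over constructed, pre-labelled events; each rule carries the three things an alarm should contain (a description of the problem, a way to test the alarm for accuracy, and advice), and tuning (disabling a noisy rule and downgrading another from alarm to summary-report severity) is measured by counting false positives and false negatives before and after. The events, rules and labels are all constructed.

```python
"""IDS alarm content and tuning, measured against labelled events (added example)."""
from dataclasses import dataclass, replace
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[dict], bool]
    description: str            # what the problem is
    verify: str                 # how the administrator can test the alarm for accuracy
    advice: str                 # what the administrator should do
    severity: str = "alarm"     # "alarm" pages someone; "report" only appears in the log summary
    enabled: bool = True


def ev(proto, is_attack, payload="", fail_count=0, note=""):
    """Build one constructed event; is_attack is the analyst's ground truth."""
    return {"proto": proto, "payload": payload, "fail_count": fail_count,
            "is_attack": is_attack, "note": note}


# Constructed sample events (indices are referred to in the usage note).
EVENTS = [
    ev("icmp", False, note="monitoring host ping"),            # 0
    ev("icmp", False, note="monitoring host ping"),            # 1
    ev("icmp", True, note="external reconnaissance sweep"),    # 2
    ev("http", True, payload="id=1' OR 1=1 --"),               # 3
    ev("http", False, payload="q=select+a+laptop"),            # 4  legitimate search text
    ev("ssh", True, fail_count=12),                            # 5
    ev("ssh", False, fail_count=1),                            # 6  mistyped password
    ev("dns", True, payload="oversized TXT response"),         # 7  no rule covers this
]

RULES = [
    Rule("icmp_any", lambda e: e["proto"] == "icmp",
         "ICMP echo seen on an internal segment",
         "Check whether the source is a known monitoring host",
         "Ignore if monitoring; otherwise block the source and look for follow-on scans"),
    Rule("sql_keyword", lambda e: any(k in e["payload"].lower() for k in ("select", "or 1=1")),
         "SQL keyword in an HTTP parameter",
         "Inspect the full request and the application's response code",
         "Confirm input validation on the parameter; block the source if exploitation is confirmed"),
    Rule("ssh_bruteforce", lambda e: e["proto"] == "ssh" and e["fail_count"] >= 5,
         "Repeated SSH authentication failures from one source",
         "Compare the failure count with the host's authentication log",
         "Lock the targeted account and block the source"),
]


def alarm_record(rule, index):
    """The three things an alarm should carry, plus which event raised it."""
    return {"rule": rule.name, "event": index, "description": rule.description,
            "verify": rule.verify, "advice": rule.advice}


def evaluate(events, rules):
    """Run every enabled rule; return alarms, summary-report hits and error counts."""
    alarm_idx, report_idx, records = set(), set(), []
    for i, e in enumerate(events):
        for r in rules:
            if not (r.enabled and r.matches(e)):
                continue
            if r.severity == "alarm":
                alarm_idx.add(i)
                records.append(alarm_record(r, i))
            else:
                report_idx.add(i)
    tp = sum(1 for i in alarm_idx if events[i]["is_attack"])
    fp = len(alarm_idx) - tp                                   # false alarms
    fn = sum(1 for i, e in enumerate(events) if e["is_attack"] and i not in alarm_idx)
    precision = tp / len(alarm_idx) if alarm_idx else 0.0
    return {"alarms": sorted(alarm_idx), "reports": sorted(report_idx), "records": records,
            "tp": tp, "fp": fp, "fn": fn, "precision": precision}


def tune(rules, disable=(), downgrade=()):
    """Turn off unnecessary rules and lower others from alarm to report severity."""
    tuned = []
    for r in rules:
        if r.name in disable:
            r = replace(r, enabled=False)
        elif r.name in downgrade:
            r = replace(r, severity="report")
        tuned.append(r)
    return tuned


if __name__ == "__main__":
    before = evaluate(EVENTS, RULES)
    after = evaluate(EVENTS, tune(RULES, disable=("icmp_any",), downgrade=("sql_keyword",)))
    for label, res in (("before tuning", before), ("after tuning", after)):
        print(f"{label}: alarms={res['alarms']} tp={res['tp']} fp={res['fp']} "
              f"fn={res['fn']} precision={res['precision']:.2f} reports={res['reports']}")
```

Before tuning, six of the eight events raise alarms, half of them false (the two monitoring pings and the legitimate search containing "select"), and the DNS event is a false negative because no rule covers it. Disabling the ICMP rule and downgrading the SQL-keyword rule to report severity leaves one alarm with no false positives, but the reconnaissance sweep and the injection attempt are now false negatives as well (the injection still appears in the summary report, where the text says lower-risk hits belong). That is the trade-off the chapter describes: tuning cuts the false alarms that make administrators ignore the IDS, at the cost of attacks that will only be noticed in the summary report or not at all.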
Honeypots
23.a) What is a honeypot?
A honeypot is a fake server or entire network segment with multiple clients and servers.
b) How can honeypots help companies detect attackers?
Because legitimate users will not access the honeypot network assets, honeypot activities normally are attacker activities.
c) Could a honeypot attract unwanted attention from attackers?
Yes, due to the number of ports being faked, a honeypot could attract additional attention from attackers looking for a specific service, operating system, or port.

Business Continuity Planning
24.a) What do business continuity plans specify?
Business continuity plans specify how a company will maintain or restore core business operations after disasters.
b) Distinguish between business continuity plans and IT disaster recovery plans.
Business continuity plans specify how a company, as a whole, will maintain or restore core business operations after disasters.
Disaster recovery plans are geared only toward IT functions after a disaster.
Principles of Business Continuity Management
25.a) What four protections can firms provide for people during an emergency?
They are evacuation plans and drills, not allowing people to go back inside, accounting of all members, and counseling after a disaster.
b) Why is accounting for all personnel important? (The answer is not in the text.)
Accounting for all personnel is important because it confirms that the company believes in its employees, takes care of them, and demonstrates corporate citizenship.
c) Why does human cognition in crises call for extensive pre-planning and rehearsal?
Human cognition in crises is stifled; only extensive preplanning and practice will provide a decent chance of proper human action during a crisis.
d) Why is it necessary not to make plans and processes for crisis recovery too rigid?
Avoiding rigidity is key because each crisis will be somewhat unique and require flexibility to address unexpected conditions.
e) Why do communication systems tend to break down during crises?
Communications systems tend to rely on electrical power, which usually does not survive long during crises.
Business Process Analysis
26.a) List the four steps in business process analysis.
1. Identification of business processes and interrelationships
2. Prioritization of business processes
3. Specification of resource needs
4. Specification of actions and sequences
b) Explain why each is important.
Identification of business processes and their interrelationships is important because all business processes must be identified and understood before moving to the next step.
Prioritization of business processes is important because it is used to help the firm restore the most important functions of the business first.
Specifying resource needs is important because resources are disrupted during and after a disaster, and the firm must know what each process requires.
Specifying actions and sequences is important because specifying precise actions and sequences will get the job done.
Testing and Updating the Plan
27.a) Why are business continuity plans more difficult to test than incident response plans?
The processes involved in incident response are complex, but business continuity response processes are far more complex and therefore far more difficult to test.
b) Why is frequent plan updating important?
Frequent plan updating is important because business conditions change constantly and because businesses reorganize constantly.
c) Why must companies update contact information even more frequently?
The people holding specific roles change very frequently.
d) For what two reasons is a permanent business continuity staff necessary?
The reason a permanent business continuity staff is necessary is because there is constant updating and the staff will act as the operational manager when there is a disaster.
IT Disaster Recovery
28.a) What is IT disaster recovery?
IT disaster recovery looks specifically at the technical aspects of how a company can get IT back into operation using backup facilities.
b) Why is it a business concern?
IT disaster recovery is a business concern because decisions that seem purely technical may have major implications for the business that IT professionals may not accept and should not have the authority to make.
Types of Backup Facilities
29.a) What are the main alternatives for backup sites?
The main alternatives for backup sites are hot sites, cold sites, and continuous data protection (CDP).
b) What is the strength of each?
Hot sites have everything ready to go in an emergency and have little downtime. Cold sites offer the physical facilities to support a backup site, but do not have the equipment in place that a hot site does; this is cheaper than a hot site. CDP provides continuous data protection with instantaneous recovery.
c) What problem or problems does each raise?
Hot sites are very expensive; cold sites take significant time to procure and install the needed equipment and software; and CDP sites usually cannot handle the duties of both sites, so applications must be prioritized.
d) Why is CDP necessary?
CDP is necessary if any downtime will significantly impact the business, which it almost always will.
Office PCs
30.What three things should a firm do about disaster recovery planning for office PCs?
For disaster recovery planning for office PCs, a company should first back up everything. Then the firm should contact computer vendors to preorder new office PCs. Finally, the firm should find a good working environment in which to use the office PCs, especially if the office is damaged.
Restoration of Data and Programs
31.a) What must be done to restore data at a backup site via tapes?
First the backup tapes must be delivered to the backup site; then the backup site must have the proper equipment to do the restoration.
b) How does this change if a firm uses continuous data protection?
With CDP, the backup site already has the proper equipment and data and recovery is instantaneous.